wannacry | hxxp://g

Analysis

max time kernel
253s
max time network
264s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://g

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD760F.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7616.tmp	WannaCry.EXE

Executes dropped EXE 18 IoCs

pid	Process
3288	WannaCry.EXE
4548	taskdl.exe
892	WannaCry.EXE
6032	@[email protected]
2280	@[email protected]
3036	taskhsvc.exe
4948	taskdl.exe
2536	taskse.exe
4996	@[email protected]
3376	taskdl.exe
1932	taskse.exe
772	@[email protected]
5808	taskse.exe
2944	taskdl.exe
6112	@[email protected]
4536	taskse.exe
4600	@[email protected]
2176	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
852	icacls.exe
4848	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plwzuibnuhpvcwq775 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
84	camo.githubusercontent.com
133	camo.githubusercontent.com
142	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5380	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5644	msedge.exe
5644	msedge.exe
5408	msedge.exe
5408	msedge.exe
1900	msedge.exe
1900	msedge.exe
2380	identity_helper.exe
2380	identity_helper.exe
4448	msedge.exe
4448	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe
3036	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4996	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeBackupPrivilege	1948	vssvc.exe
Token: SeRestorePrivilege	1948	vssvc.exe
Token: SeAuditPrivilege	1948	vssvc.exe
Token: SeTcbPrivilege	2536	taskse.exe
Token: SeTcbPrivilege	2536	taskse.exe
Token: SeTcbPrivilege	1932	taskse.exe
Token: SeTcbPrivilege	1932	taskse.exe
Token: SeTcbPrivilege	5808	taskse.exe
Token: SeTcbPrivilege	5808	taskse.exe
Token: SeTcbPrivilege	4536	taskse.exe
Token: SeTcbPrivilege	4536	taskse.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
6032	@[email protected]
6032	@[email protected]
2280	@[email protected]
2280	@[email protected]
4996	@[email protected]
4996	@[email protected]
772	@[email protected]
6112	@[email protected]
4600	@[email protected]
5520	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5408 wrote to memory of 2500	5408	msedge.exe	77
PID 5408 wrote to memory of 2500	5408	msedge.exe	77
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5480	5408	msedge.exe	78
PID 5408 wrote to memory of 5644	5408	msedge.exe	79
PID 5408 wrote to memory of 5644	5408	msedge.exe	79
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80
PID 5408 wrote to memory of 4556	5408	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3136	attrib.exe
4616	attrib.exe
1600	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://g
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6b93cb8,0x7ffaf6b93cc8,0x7ffaf6b93cd8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1184 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7936 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8288 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8092 /prefetch:8
  2⤵
  PID:3516
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3288
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3136
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 157851736208914.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1136
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4748
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4616
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6032
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "plwzuibnuhpvcwq775" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "plwzuibnuhpvcwq775" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5380
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3376
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:772
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5808
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2944
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6112
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4600
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,11301404452418314785,7121471539527061979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=9080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:892
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1600
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3892

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5888

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
4d82ed7b8d91d29b5a48d44abcac1c9e

SHA1
f6567803a2f6f94dc4b8b9d17e6f6adef1ba8603

SHA256
3637ad1bcef5a57f306774b22ef9a51c0c78d62f3f59db1196b902629bb052bf

SHA512
630600b94dfbc3b330da95d5080a5470de844ee41262cdc7be5e62399013927639acfdeea7c7e82ec9120a5466f0eb9271a5d0ce52c029366f81ca2e4d91e9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ae2cd3c-41d5-4030-9f8c-4e39033349c3.tmp

Filesize
5KB

MD5
f11604a34f7d100b66f71af22845a22d

SHA1
05bafd892e44110ec43b2c933ec8ab505909cefc

SHA256
9fb8b2d9cf16bc941a9a59b33f308b1b67073e7f85e164fa69884166dd36a04f

SHA512
185c8b1c566ab54ed569dbe7e85066fc7334660c3389ae8f29c66509588e80767e412e1809464675d7dc656db690a99ecea177e81ea66b5b62eb9f29c09d8c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
910be05c7ab4e747861707fba8383179

SHA1
af93edcfde1706fa46be6dcef320201568439a1e

SHA256
946c4aa3dc0196b6afa66cd71515c6f38599c48d7d53cdace48621078b449a8f

SHA512
f8d37badf0497776e3a6a1bcfa3938a5482787e297c208bea9aa724b7a1fbf2ed9c1694fad93484c759d4b37a8807eac6ee1759acff28ac8f7b1fda6fd63f281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
440cf5511ae06eb8ea3a85caa5783efc

SHA1
76c9cc4e5d3113793e097cde45eea09c6cc7f9f5

SHA256
d0f447900249e3e652bcda6b70978a739b694e391351c9951142c50fc7ff9cf9

SHA512
ae2a693fe6359c04f66eb56e4f0ed6c9a132b24dad4b95915cd43c7aa06b11af4f799360b6085815cafefda7bae98069322a09bf008bd0c4ccd586d15297222c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
b3b4261605b92a003f72e6443c014ea0

SHA1
5d27eb8e791412151f79476411c1509edc8705fc

SHA256
3d921e2c505569645ce0239469c4b899c9cd25e1af336d4a71805c535758d687

SHA512
f999abe1540762b1a2dce10e4ac6a45284f8c6b70edee8ceb8f35134c4c862934fe241986bbe04f1a7607f288776987bcf93d2720d10ec3bcf3caa051069f8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
dd2424dfdde4ea04f3b018ea5174f272

SHA1
51dec8b1b574cf6234b06f1b2020a80c782b8105

SHA256
12708d31c91b7e8202ddf6d95f43ec23678c9095568df0160c4c8506b85214d1

SHA512
0919a79e26a94141a73a9d2525fada7258a186ab1d8f4b0eb1e154043b03fedd1c2a00cea73ef0e751f4d8c212da7af37b26eb72a006d83029906684e3c28ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b42cdfe96ffc88465b85679ed02b308

SHA1
9b6fb671f96c35c4fab3f58990a6b3a4631cea72

SHA256
6bdbeda8e362e3828a66524f1600b53c38165a9460156aae8f028c0fd88b451a

SHA512
5a11b383a8727d79e24d955adf21d004bf75fd3618098c5218a80b73ffa52867e62554275486b1ae1e7fbc6b73107e5093b94db9c55dea2be8999495efb50e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
90e1a0edcab2c7a1de9a2dcf1caeead6

SHA1
26daec5cb176ef83ddbc0cd9f344734bcdc25dd9

SHA256
5cf31f7e39f057dfed1696c5b4a3ed1732bf62ca62125dd52b99a34b2b5e9184

SHA512
2fa083fc07c0d2210ca21c6a7263068bc643367451a03d237d3654f0f7f7dfdafc7e58433aee4594ac58fbb5a33917b312a04f9ddf8c1b7a67638421a348a9b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2a550df03ad977e736de4d22f55d3b28

SHA1
02cc02e7e61b4dc3a018bee4d12950e78a106c2e

SHA256
2ffd610daaf32d0f17da123646f57804b4c2a156f8260ff4d33c6936f571ca05

SHA512
e9c75c565ebb920980f5fd00d10cab2f098e939dc84d1f4a143c4ce64d69d2d5b513b81db163be2b024d9f2729081e2efd4e1cbb39043c9d351b1da3221a01f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
45c3158e37d86b051eed909351b30721

SHA1
e093bf719c4dc6c9cc7eed1349ae913730a3d364

SHA256
595332f628008fb7a367b9ca5137ee2acc8e3911b74598073e360b7bffbf6a50

SHA512
d04acfd8c281dd434c498c81622b4cf64f3c60cce8cc9f41f9e1dfedea22b9b04eb6b4af01d0a9b6792d4a66ceded610e7ad7bd39774509def315d4e3c6274e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b70cd857df7ae6608e6388418e753ecc

SHA1
3727fe12c8818181ef7c0ba38ad41f1cff9bb1e7

SHA256
5e701ec60a2197e6d209b48a129aaa596c25a967ab9ee95ab4f040f1bcd65d36

SHA512
92c46e61c90ec62816302af2cb6fbd4a100db38c66c0383cc77b95fd70be883112e5aaecdb453039a7682778bfafc873c12be6ce02c43a562073faf274775d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92321db24f1c5cec93f4e97a3d35088f

SHA1
027ea9c046a6e6bd2901851babfcc50845cc6771

SHA256
7f534a515387ba29e14853d9479d429673c2a2a83fd49af4b3c1a23f54862438

SHA512
d7f36e6bee286e97b7deabd63227b115910d9a2249b7e461347eedde421b9409ac8f69b5ecce3193001cb61571a6b993121bab3621c30cb4ecb14c96cfc9aed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4ec24132b00770c21d32774db395b300

SHA1
62960f32091214712d9dfe41fd80a3c335bfa001

SHA256
3c983e802e8e4bb2f54f43aaa9eeda6f40f7706726ce068f93dd7693e97fe75e

SHA512
2c7cdbef8bf7b4f9dd1fdbae73c15003cb33f855c42f53deaa268d551b9368fc01fe6af5b00747a902cac1b06a71c87169719d2889174656a27d3f8c1df4796f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
604f665b855be6aab335ac5605b78c30

SHA1
fe0845133ed485a3e649204b30e2d57ff218a6ff

SHA256
5fd9619c48f3b9c102fdcb94ace21fa1727da63a70b116111ea7f90977fdd292

SHA512
fddc30e3e1a0c16d891ff62f0c5a972fca722440097552f2c268f2dd2c05857ce22a8904badf6d05a9b97931ee24399b36dfe2da53ec87f7aec8edebbc8b53f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584ea8.TMP

Filesize
48B

MD5
59915c781a87f1f3627188a40923c842

SHA1
fe24b622c69f8ad009ec0c52de399023c1cd3af0

SHA256
725ae3b5acb897a3db5f7a896a5ffd075e1a930a6ea7bd3dc0a665015517bef9

SHA512
1e140b3dd240071f9f6136ee7a7f053f2182901a2aa14e153470f9e420bd42e06f34546048d5edfdb5955d22157ce858e1fe66d31e7e6c81ec96218f393a18fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
24be075c4677b21b2a977adb65b77b63

SHA1
29744ed1ceff55b45aa13f00f410c0fb1bc67023

SHA256
bd4f9ade0e3d96ead007b24577a811fd1e2a753fbdb1d13e8d348f9f0b56d9eb

SHA512
a297b4d8d9a36266ccd5b377b665c0704e3f68de0a12f6ee50e103508bc9a6b8f7bb64294926b5b21b689a2a05c707000adf92e0f9cc35ec8ca4faaf61855d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3ede2b22542a37d40533cda3d5ae3e36

SHA1
9d46cfa6679c8313021878c1f5fff006af9e0323

SHA256
0643c063c3bbf8fd92fe2630d829b29f4b6f3e779588a09c882de2952efce5ad

SHA512
98056db8b89d8c520b5ed9aeb558f64d319f006c669ad7f3e5eb512a124fd573ab98e88d4b3fe0892caeacb4ffea557cbac401de228cf42b46498281f54adc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
00854ed47f944a484897aa5b259abc0c

SHA1
6e4898712832e478a36be0a7556e33e7f561797e

SHA256
5dc80b36aac7c1d4da71c1137de8fba7d517bd3afa5200625a60b82e7dcab10c

SHA512
914469b53b701956b8ed1c6b139bb16267c0d6807ad9c845bc7f220c4ea6dee85d5c14e6e25ef0e9e9c50117914ed2dfcd8244b30467d2ef0bdda694dcd37321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c0aeefb6dd86dad29a09d225c2816296

SHA1
dcd5ec9324705e323b5cf3e4faa3f45a9a4e9558

SHA256
c4c6f959f21e363007e81d25e5d7df1c742515c33497ca9b0741d9266de6a76e

SHA512
31053e187528680df1218533877987ade299e5341c34731c8806efa6d8575b7c2f9e137360ce1fb75b610372cd775f4182e0ab88843c8b066846813f12970ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7659653df30c9e8cc485ee0ef5dfcbe4

SHA1
507832046017764e4790a94c3b6b8a1c283931f9

SHA256
572a306c927336c9efa2d13b734f606ab54158befdf50e2639ecd2439c97e1b9

SHA512
869a9ced3e1efa5cce7dbf3a719f0c8bb4a173f6761c2d98b931e7c08bfc9b1ebd4bef60a40759b46ea9d1cdcbfaba9aa99088b2dba6f5708b4c5ad13cba87ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1fed9f6a2a9634fee0ed23583956177d

SHA1
5ff2306b1e6ba7d51f230f8fcf7a1c412349660b

SHA256
48ec91c2f042af0519f6824687b8e69c39d553aa50453c56ee7d77d830001a60

SHA512
0204fd3d5ee5fc41cd81dfef0f0fead9fccbd60ace2bcb2f4ad36b8ff7c9ed5be1e42709d8a1038d1f31129ecd06fcda684a68f17b4f3aeb0b5aeb30c50a061a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583bfa.TMP

Filesize
1KB

MD5
1850a0ae10780e1598c85fcc4adaaf03

SHA1
4001bf1aac4c3610c0921626cf0cb68eca5ef5dd

SHA256
c0d0e740923c7e17af84a2137070dedad3e2cc91739e9ad4bb9c3edff2559fb3

SHA512
72916a6e807ffd5f301ba411726766916e3ceaf7f2322518e43b2ce9fd0b42f7a287a2cfeaf11c63d34abd45a71c3e9e8c0809a7422780fb666f1b3dd8f11ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e42293e0-1ea7-4c12-bc85-be31dc25ca12.tmp

Filesize
10KB

MD5
caf091bfd76e490713a059f7db698a98

SHA1
10ba4907fa965893f03c46b8d48988086cd0791f

SHA256
fea987f5e065745773a49c6acca2e00e7681eb293957e1a5d1e7f9f7c0dc0883

SHA512
81d9e29d6b5dea02b0ab5b7cae1d66d3d2ec05bc8bdb3eb900625c4fef815478a4ddde6e2548b1093ecbd7d48faa18494738d41d4ac19ed34e0803e6249b64d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bc059809c872f0b0b0a68c14c957cd7

SHA1
c286456b3f7089c09638b31606b13884686d685a

SHA256
ffece1f280019a4901a7c6436e1f4f79f7ae26ae112a81693c2658cb0ab3c9cd

SHA512
0b859d6c660d2e00efc72d5698837be276f6580391bfade0029013bcab24a77d76f5df32dadbb73a840de04051206c7434e8bb2f2ec1bacb8baebbf55294f269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
42c007aca96bd99cb6fc8f1c3b71c1e7

SHA1
a0ccede263d23c864d4a0428f691c7ed70a19e4b

SHA256
3f1c31b396a38aa0800d523bdbafde6e364f80d4c0b8a1500855a434a2c931c9

SHA512
8c04fc49e026498f50924ea0eea60718f79457c21fd7c91301478933a2f14a5011d64f259dce4490cb7aea9abb1a8d26ffdbca00d4889c171706e7cabef6893f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bc974c99996d0c97a142f4243c2d1eee

SHA1
c3fc34e2a09424ad2d170fb1253ec21cb2b3bbc3

SHA256
32b8ebdc684b905d4db150917e543d9594714071b749fb3f8a5eba86044e20df

SHA512
42bcfd5ad91741dc73c48243ca39e79b92397ffb74e9d625d597a127a9fd01cfecec49575c17a6d7682b37e98cbd636571c34a974f9b7c51d2c672209bc98334

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d6d86903-2389-435b-86f9-7c9aed169cce.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.0MB

MD5
602f6a8609d1713a0d0cf1967eba20ee

SHA1
226566d3db64b23795f44bd9dd159bbc5478add5

SHA256
bbcc83940bbcbef2aaec928effec9a7fb98f86be0281309ddaad63364a37a0d6

SHA512
b61e7c3e5cac5d155038a1f028d3cc2518dbcfb4b97ade4e00363352d56d9c8be31974d2ba187b66c511c1715fa5fa92cf79180d4ab7bc769b5ed25761460344

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
memory/3036-2663-0x0000000073A20000-0x0000000073A3C000-memory.dmp

Filesize
112KB

Download
memory/3036-2743-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2601-0x0000000073960000-0x00000000739E2000-memory.dmp

Filesize
520KB

Download
memory/3036-2605-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2662-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2667-0x0000000073850000-0x00000000738C7000-memory.dmp

Filesize
476KB

Download
memory/3036-2666-0x00000000738D0000-0x0000000073952000-memory.dmp

Filesize
520KB

Download
memory/3036-2665-0x00000000739F0000-0x0000000073A12000-memory.dmp

Filesize
136KB

Download
memory/3036-2664-0x0000000073960000-0x00000000739E2000-memory.dmp

Filesize
520KB

Download
memory/3036-2604-0x00000000739F0000-0x0000000073A12000-memory.dmp

Filesize
136KB

Download
memory/3036-2668-0x0000000073630000-0x000000007384C000-memory.dmp

Filesize
2.1MB

Download
memory/3036-2773-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2680-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2687-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2700-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2706-0x0000000073630000-0x000000007384C000-memory.dmp

Filesize
2.1MB

Download
memory/3036-2602-0x0000000073630000-0x000000007384C000-memory.dmp

Filesize
2.1MB

Download
memory/3036-2753-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2759-0x0000000073630000-0x000000007384C000-memory.dmp

Filesize
2.1MB

Download
memory/3036-2760-0x0000000000530000-0x000000000082E000-memory.dmp

Filesize
3.0MB

Download
memory/3036-2766-0x0000000073630000-0x000000007384C000-memory.dmp

Filesize
2.1MB

Download
memory/3036-2603-0x00000000738D0000-0x0000000073952000-memory.dmp

Filesize
520KB

Download
memory/3288-1155-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download